Diffstat (limited to 'MIBS/watchguard/IPSEC-ISAKMP-IKE-DOI-TC')
| -rw-r--r-- | MIBS/watchguard/IPSEC-ISAKMP-IKE-DOI-TC | 712 |
1 files changed, 712 insertions, 0 deletions
diff --git a/MIBS/watchguard/IPSEC-ISAKMP-IKE-DOI-TC b/MIBS/watchguard/IPSEC-ISAKMP-IKE-DOI-TC
new file mode 100644
index 0000000..7c044f0
--- /dev/null
+++ b/MIBS/watchguard/IPSEC-ISAKMP-IKE-DOI-TC
@@ -0,0 +1,712 @@ +IPSEC-ISAKMP-IKE-DOI-TC DEFINITIONS ::= BEGIN + + IMPORTS + -- make this mib a temporary watchguard extension before it becomes RFC + watchguard + FROM WATCHGUARD-MIB + -- delete next line before release + experimental, + MODULE-IDENTITY, Unsigned32 FROM SNMPv2-SMI + -- uncomment next line before release + mib-2 FROM RFC1213-MIB + TEXTUAL-CONVENTION FROM SNMPv2-TC; + + ipsecIsakmpIkeDoiTC MODULE-IDENTITY + LAST-UPDATED "9907132145Z" + ORGANIZATION "Shiva" + CONTACT-INFO "John Shriver + Intel Corporation + 28 Crosby Drive + Bedford, MA 01730 + + Phone: + +1-781-687-1329 + + E-mail: + John.Shriver@intel.com" + + DESCRIPTION "The MIB module which defines the textual conventions + used in IPSEC MIBs. This includes Internet DOI + numbers defined in RFC 2407, ISAKMP numbers defined + in RFC 2408, and IKE numbers defined in RFC 2409. + + These Textual Conventions are defined in a seperate + MIB module since they are protocol numbers managed + by the IANA. Revision control after publication + will be under the authority of the IANA." + REVISION "9902181705Z" + DESCRIPTION "Added IsakmpDOI TEXTUAL-CONVENTION." + REVISION "9903051545Z" + DESCRIPTION "Changed CONTACT-INFO." + REVISION "9907132145Z" + DESCRIPTION "Put in real experimental branch number for module." + REVISION "9910051705Z" + DESCRIPTION "Added exchange types, tracked IKE standard. Split + IkeNotifyMessageType off of IsakmpNotifyMessageType." + REVISION "9910151950Z" + DESCRIPTION "Removed stray comma in IsakmpNotifyMessageType." + + -- replace xxx in next line before release, uncomment before release + -- ::= { mib-2 xxx } + -- delete next line before release + -- ::= { experimental 100 } + ::= { watchguard 100 } + -- The first group of textual conventions are based on definitions + -- in the IPSEC DOI, RFC 2407. 
+ + IpsecDoiSituation ::= TEXTUAL-CONVENTION + DISPLAY-HINT "x" + STATUS current + DESCRIPTION "The IPSEC DOI Situation provides information that + can be used by the responder to make a policy + determination about how to process the incoming + Security Association request. + + It is a four (4) octet bitmask, with the following + values: + + sitIdentityOnly 0x01 + sitSecrecy 0x02 + sitIntegrity 0x04 + + The upper two bits (0x80000000 and 0x40000000) are + reserved for private use amongst cooperating + systems." + REFERENCE "RFC 2407 sections 4.2 and 6.2" + SYNTAX Unsigned32 (0..4294967295) + -- The syntax is not BITS, because we want the representation + -- to be the same here as it is in the ISAKMP/IKE protocols. + + + IpsecDoiSecProtocolId ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "These are the IPSEC DOI values for the Protocol-Id + field in an ISAKMP Proposal Payload, and in all + Notification Payloads. + + They are also used as the Protocol-ID In the + Notification Payload and the Delete Payload. + + The values 249-255 are reserved for private use + amongst cooperating systems." + REFERENCE "RFC 2407 section 4.4.1" + SYNTAX INTEGER { + reserved(0), -- reserved in DOI + protoIsakmp(1), -- message protection + -- required during Phase I + -- of the IKE protocol + protoIpsecAh(2), -- IP packet authentication + -- via Authentication Header + protoIpsecEsp(3), -- IP packet confidentiality + -- via Encapsulating + -- Security Payload + protoIpcomp(4) -- IP payload compression + } + + IpsecDoiTransformIdent ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "The IPSEC DOI ISAKMP Transform Identifier is an + 8-bit value which identifies a key exchange protocol + to be used for the negotiation. It is used in the + Transform-Id field of an IKE Phase I Transform + Payload. + + The values 249-255 are reserved for private use + amongst cooperating systems." 
+ REFERENCE "RFC 2407 sections 4.4.2 and 6.3" + SYNTAX INTEGER { + reserved(0), -- reserved in DOI + keyIke(1) -- the hybrid ISAKMP/Oakley + -- Diffie-Hellman key + -- exchange + } + + IpsecDoiAhTransform ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "The IPSEC DOI AH Transform Identifier is an 8-bit + value which identifies a particular algorithm to be + used to provide integrity protection for AH. It is + used in the Tranform-ID field of a ISAKMP Transform + Payload for the IPSEC DOI, when the Protocol-Id of + the associated Proposal Payload is 2 (AH). + + The values 249-255 are reserved for private use + amongst cooperating systems." + REFERENCE "RFC 2407 sections 4.4.3 and 6.4" + SYNTAX INTEGER { + reserved(0), -- reserved in DOI + reserved1(1), -- reserved + ahMd5(2), -- generic AH transform + -- using MD5 + ahSha(3), -- generic AH transform + -- using SHA-1 + ahDes(4) -- generic AH transform + -- using DES + } + + IpsecDoiEspTransform ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "The IPSEC DOI ESP Transform Identifier is an 8-bit + value which identifies a particular algorithm to be + used to provide secrecy protection for ESP. It is + used in the Tranform-ID field of a ISAKMP Transform + Payload for the IPSEC DOI, when the Protocol-Id of + the associated Proposal Payload is 2 (AH), 3 (ESP), + and 4 (IPCOMP). + + The values 249-255 are reserved for private use + amongst cooperating systems." 
+ REFERENCE "RFC 2407 sections 4.4.4 and 6.5" + SYNTAX INTEGER { + reserved(0), -- reserved in DOI + espDesIv64(1), -- DES-CBC transform defined + -- in RFC 1827 and RFC 1829 + -- using a 64-bit IV + espDes(2), -- generic DES transform + -- using DES-CBC + esp3Des(3), -- generic triple-DES + -- transform + espRc5(4), -- RC5 transform + espIdea(5), -- IDEA transform + espCast(6), -- CAST transform + espBlowfish(7), -- BLOWFISH transform + esp3Idea(8), -- reserved for triple-IDEA + espDesIv32(9), -- DES-CBC transform defined + -- in RFC 1827 and RFC 1829 + -- using a 32-bit IV + espRc4(10), -- reserved for RC4 + espNull(11) -- no confidentiality + -- provided by ESP + } + + IpsecDoiAuthAlgorithm ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "The ESP Authentication Algorithm used in the IPSEC + DOI as a SA Attributes definition in the Transform + Payload of Phase II of an IKE negotiation. This + set of values defines the AH authentication + algorithm, when the associated Proposal Payload has + a Protocol-ID of 2 (AH). This set of values + defines the ESP authentication algorithm, when the + associated Proposal Payload has a Protocol-ID + of 3 (ESP). + + Values 5-61439 are reserved to IANA. + + Values 61440-65535 are for private use. + + In a MIB, a value of 0 indicates that ESP + has been negotiated without authentication." + REFERENCE "RFC 2407 section 4.5" + SYNTAX INTEGER { + reserved(0), -- reserved in DOI + hmacMd5(1), + hmacSha(2), + desMac(3), + kpdk(4) + } + + IpsecDoiIpcompTransform ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "The IPSEC DOI IPCOMP Transform Identifier is an + 8-bit value which identifies a particular algorithm + to be used to provide IP-level compression before + ESP. It is used in the Tranform-ID field of a ISAKMP + Transform Payload for the IPSEC DOI, when the + Protocol-Id of the associated Proposal Payload + is 4 (IPCOMP). 
+ + The values 1-47 are reserved for algorithms for which + an RFC has been approved for publication. + + The values 48-63 are reserved for private use amongst + cooperating systems. + + The values 64-255 are reserved for future expansion." + REFERENCE "RFC 2407 sections 4.4.5 and 6.6" + SYNTAX INTEGER { + reserved(0), -- reserved in DOI + ipcompOui(1), -- proprietary compression + -- transform + ipcompDeflate(2), -- "zlib" deflate algorithm + ipcompLzs(3) -- Stac Electronics LZS + } + + IpsecDoiEncapsulationMode ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "The Encapsulation Mode used as an IPSEC DOI + SA Attributes definition in the Transform Payload + of a Phase II IKE negotiation. This set of + values defines encapsulation modes used for AH, + ESP, and IPCOMP when the associated Proposal Payload + has a Protocol-ID of 3 (ESP). + + Values 3-61439 are reserved to IANA. + + Values 61440-65535 are for private use." + SYNTAX INTEGER { + reserved(0), -- reserved in DOI + tunnel(1), + transport(2) + } + + IpsecDoiIdentType ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "The IPSEC DOI Identification Type is an 8-bit value + which is used in the ID Type field as a discriminant + for interpretation of the variable-length + Identification Payload. + + The values 249-255 are reserved for private use + amongst cooperating systems." 
+ REFERENCE "RFC 2407 sections 4.4.5, 4.6.2.1, and 6.9" + SYNTAX INTEGER { + reserved(0), -- reserved in DOI + idIpv4Addr(1), -- a single four (4) octet + -- IPv4 address + idFqdn(2), -- fully-qualified domain + -- name string + idUserFqdn(3), -- fully-qualified username + -- string + idIpv4AddrSubnet(4), + -- a range of IPv4 addresses, + -- represented by two + -- four (4) octet values, + -- where the first is an + -- address and the second + -- is a mask + idIpv6Addr(5), -- a single sixteen (16) + -- octet IPv6 address + idIpv6AddrSubnet(6), + -- a range of IPv6 addresses, + -- represented by two + -- sixteen (16) octet values, + -- where the first is an + -- address and the second + -- is a mask + idIpv4AddrRange(7), -- a range of IPv4 addresses, + -- represented by two + -- four (4) octet values, + -- where the first is the + -- beginning IPv4 address + -- and the second is the + -- ending IPv4 address + idIpv6AddrRange(8), -- a range of IPv6 addresses, + -- represented by two + -- sixteen (16) octet values, + -- where the first is the + -- beginning IPv6 address + -- and the second is the + -- ending IPv6 address + idDerAsn1Dn(9), -- the binary DER encoding of + -- ASN1 X.500 + -- DistinguishedName + idDerAsn1Gn(10), -- the binary DER encoding of + -- ASN1 X.500 GeneralName + idKeyId(11) -- opaque byte stream which + -- may be used to pass + -- vendor-specific + -- information + } + + -- The second group of textual conventions are based on defintions + -- the ISAKMP protocol, RFC 2408. + + IsakmpDOI ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "These are the domain of interpretation values for + the ISAKMP Protocol. They are a 32-bit value + used in the Domain of Interpretation field of the + Security Association Payload. + Values 2-4294967295 are reserved to the IANA." + REFERENCE "RFC 2048 section 3.4." 
+ SYNTAX INTEGER { + isakmp(0), -- generic ISAKMP SA in + -- Phase 1, which can be + -- used for any protocol + -- in Phase 2 + ipsecDOI(1) -- the IPsec DOI as + -- specified in RFC 2407 + } + + IsakmpCertificateEncoding ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "These are the values for the types of + certificate-related information contained in the + Certificate Data field of a Certificate Payload. + They are used in the Cert Encoding field of the + Certificate Payload. + + Values 11-255 are reserved." + REFERENCE "RFC 2408 section 3.9" + SYNTAX INTEGER { + pkcs7(1), -- PKCS #7 wrapped + -- X.509 certificate + pgp(2), -- PGP Certificate + dnsSignedKey(3), -- DNS Signed Key + x509Signature(4), -- X.509 Certificate: + -- Signature + x509KeyExchange(5), -- X.509 Certificate: + -- Key Exchange + kerberosTokens(6), -- Kerberos Tokens + crl(7), -- Certificate Revocation + -- List (CRL) + arl(8), -- Authority Revocation + -- List (ARL) + spki(9), -- SPKI Certificate + x509Attribute(10) -- X.509 Certificate: + -- Attribute + } + + IsakmpExchangeType ::= TEXTUAL-CONVENTION + -- + -- When revising IsakmpExchangeType, consider revising + -- IkeExchangeType as well. + -- + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "These are the values used for the exchange types in + the ISAKMP header. + + Values up to 31 are reserved for future + DOI-independent assignment for ISAKMP. + + The values 240-255 are reserved for private use + amongst cooperating systems." + REFERENCE "RFC 2408 section 3.1" + SYNTAX INTEGER { + reserved(0), + base(1), -- base mode + identityProtect(2), -- identity protection + authOnly(3), -- authentication only + aggressive(4), -- aggressive mode + informational(5) -- informational + } + + IsakmpNotifyMessageType ::= TEXTUAL-CONVENTION + -- + -- If you change this, you probably want to + -- change IkeNotifyMessageType. 
+ -- + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "These are the values for the types of notification + messages. They are used as the Notify Message Type + field in the Notification Payload. + + This textual convention merges the types + for error types (in the range 1-16386) and for + notification types (in the range 16384-65535). + + The values 16001-16383 are reserved for private use + as error types amongst cooperating systems. + + The values 24576-32767 are reserved for use in + each DOI. Each DOI should have a clone of this + textual convention adding local values. + + The values 32768-40958 are reserved for private use + as notification types amongst cooperating systems." + REFERENCE "RFC 2408 section 3.14.1" + SYNTAX INTEGER { + + -- Values defined for errors in ISAKMP + -- + reserved(0), -- reserved in DOI + invalidPayloadType(1), + doiNotSupported(2), + situationNotSupported(3), + invalidCookie(4), + invalidMajorVersion(5), + invalidMinorVersion(6), + invalidExchangeType(7), + invalidFlags(8), + invalidMessageId(9), + invalidProtocolId(10), + invalidSpi(11), + invalidTransformId(12), + attributesNotSupported(13), + noProposalChosen(14), + badProposalSyntax(15), + payloadMalformed(16), + invalidKeyInformation(17), + invalidIdInformation(18), + invalidCertEncoding(19), + invalidCertificate(20), + certTypeUnsupported(21), + invalidCertAuthority(22), + invalidHashInformation(23), + authenticationFailed(24), + invalidSignature(25), + addressNotification(26), + notifySaLifetime(27), + certificateUnavailable(28), + unsupportedExchangeType(29), + unequalPayloadLengths(30) + + -- values defined for errors in IPSEC DOI + -- (none) + + -- values defined for notification in ISAKMP + -- (none) + + -- values defined for notification in + -- each DOI (clone this TC) + } + + + -- The third group of textual conventions are based on defintions + -- the IKE key exchange protocol, RFC 2409. 
+ + IkeExchangeType ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "These are the values used for the exchange types in + the ISAKMP header. + + The values 32-239 are DOI-specific, these values are + for the IPSec DOI used by IKE. + + The values 240-255 are reserved for private use + amongst cooperating systems." + REFERENCE "RFC 2409 Appendix A, + draft-ietf-ipsec-ike-01.txt appendix A" + SYNTAX INTEGER { + reserved(0), + base(1), -- base mode + mainMode(2), -- main mode + authOnly(3), -- authentication only + aggressive(4), -- aggressive mode + informational(5), -- informational + quickMode(32), -- quick mode + newGroupMode(33), -- new group mode + acknowledgedInfo(34) + -- acknowledged informational + } + + IkeEncryptionAlgorithm ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "Values for encryption algorithms negotiated + for the ISAKMP SA by IKE in Phase I. These are + values for SA Attrbute type Encryption + Algorithm (1). + + Values 7-65000 are reserved to IANA. + + Values 65001-65535 are for private use among + mutually consenting parties." + REFERENCE "RFC 2409 appendix A" + SYNTAX INTEGER { + reserved(0), -- reserved in IKE + desCbc(1), -- RFC 2405 + ideaCbc(2), + blowfishCbc(3), + rc5R16B64Cbc(4), -- RC5 R16 B64 CBC + tripleDesCbc(5), -- 3DES CBC + castCbc(6) + } + + IkeHashAlgorithm ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "Values for hash algorithms negotiated + for the ISAKMP SA by IKE in Phase I. These are + values for SA Attrbute type Hash Algorithm (2). + + Values 4-65000 are reserved to IANA. + + Values 65001-65535 are for private use among + mutually consenting parties." 
+ REFERENCE "RFC 2409 appendix A" + SYNTAX INTEGER { + reserved(0), -- reserved in IKE + md5(1), -- RFC 1321 + sha(2), -- FIPS 180-1 + tiger(3) + } + + IkeAuthMethod ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "Values for authentication methods negotiated + for the ISAKMP SA by IKE in Phase I. These are + values for SA Attrbute type Authentication + Method (3). + + Values 6-65000 are reserved to IANA. + + Values 65001-65535 are for private use among + mutually consenting parties." + REFERENCE "RFC 2409 appendix A, + draft-ietf-ipsec-ike-01.txt appendix A" + SYNTAX INTEGER { + reserved(0), -- reserved in IKE + preSharedKey(1), + dssSignatures(2), + rsaSignatures(3), + encryptionWithRsa(4), + revisedEncryptionWithRsa(5), + encryptionWithElGamal(6), + revisedEncryptionWithElGamal(7) + } + + IkeGroupDescription ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "Values for Oakley key computation groups for + Diffie-Hellman exchange negotiated for the ISAKMP + SA by IKE in Phase I. They are also used in Phase II + when perfect forward secrecy is in use. These are + values for SA Attrbute type Group Description (4)." + REFERENCE "RFC 2409 appendix A, + draft-ietf-ipsec-ike-01.txt appendix A" + SYNTAX INTEGER { + reserved(0), -- reserved in IKE + modp768(1), -- default 768-bit MODP group + modp1024(2), -- alternate 1024-bit MODP + -- group + ec2nGalois2P155(3), -- EC2N group on Galois + -- Field GF[2^155] + ec2nGalois2P185(4), -- EC2N group on Galois + -- Field GF[2^185] + modp1536(5) -- alternate 1536-bit MODP + -- group + } + + IkeGroupType ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "Values for Oakley key computation group types + negotiated for the ISAKMP SA by IKE in Phase I. + They are also used in Phase II when perfect forward + secrecy is in use. These are values for SA Attribute + type Group Type (5)." 
+ REFERENCE "RFC 2409 appendix A" + SYNTAX INTEGER { + reserved(0), -- reserved in IKE + modp(1), -- modular eponentiation + + -- group + ecp(2), -- elliptic curve group over + -- Galois Field GF[P] + ec2n(3) -- elliptic curve group over + -- Galois Field GF[2^N] + } + + IkePrf ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "Values for Pseudo-Random Functions used with + with the hash algorithm negotiated for the ISAKMP SA + by IKE in Phase I. There are currently no + pseudo-random functions defined, the default HMAC is + always used. These are values for SA Attribute type + PRF (13). + + Values 1-65000 are reserved to IANA. + + Values 65001-65535 are for private use among + mutually consenting parties." + REFERENCE "RFC 2409 appendix A" + SYNTAX Unsigned32 (0..65535) + + IkeNotifyMessageType ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION "These are the values for the types of notification + messages. They are used as the Notify Message Type + field in the Notification Payload. + + This textual convention merges the types + for error types (in the range 1-16386) and for + notification types (in the range 16384-65535). + + This textual convention is a merge of values + defined by ISAKMP with the additional values + defined in the IPSEC DOI. + + The values 16001-16383 are reserved for private use + as error types amongst cooperating systems. + + The values 32001-32767 are reserved for private use + as notification types amongst cooperating systems." 
+ REFERENCE "RFC 2408 section 3.14.1 and RFC 2407 sections 4.6.3 + and 6.10" + SYNTAX INTEGER { + + -- Values defined for errors in ISAKMP + -- + reserved(0), -- reserved in DOI + invalidPayloadType(1), + doiNotSupported(2), + situationNotSupported(3), + invalidCookie(4), + invalidMajorVersion(5), + invalidMinorVersion(6), + invalidExchangeType(7), + invalidFlags(8), + invalidMessageId(9), + invalidProtocolId(10), + invalidSpi(11), + invalidTransformId(12), + attributesNotSupported(13), + noProposalChosen(14), + badProposalSyntax(15), + payloadMalformed(16), + invalidKeyInformation(17), + invalidIdInformation(18), + invalidCertEncoding(19), + invalidCertificate(20), + certTypeUnsupported(21), + invalidCertAuthority(22), + invalidHashInformation(23), + authenticationFailed(24), + invalidSignature(25), + addressNotification(26), + notifySaLifetime(27), + certificateUnavailable(28), + unsupportedExchangeType(29), + unequalPayloadLengths(30), + + -- values defined for errors in IPSEC DOI + -- (none) + + -- values defined for notification in ISAKMP + -- (none) + + -- values defined for notification in IPSEC + -- DOI + responderLifetime(24576), + -- used to communicate IPSEC + -- SA lifetime chosen by the + -- responder + + replayStatus(24577), + -- used for positive + -- confirmation of the + -- responder's election on + -- whether or not he is to + -- perform anti-replay + -- detection + + initialContact(24578) + -- used when one side wishes + -- to inform the other that + -- this is the first SA being + -- established with the + -- remote system + } +END + + |
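Review bot: The MODULE-IDENTITY's LAST-UPDATED "9907132145Z" is older than the last REVISION "9910151950Z" in the same clause, which SMIv2 (RFC 2578) does not allow and which MIB compilers such as smilint report as an error; set `LAST-UPDATED "9910151950Z"` (REVISION clauses are also expected in reverse chronological order, newest first). The IsakmpDOI REFERENCE cites "RFC 2048 section 3.4." although the Domain of Interpretation field is defined in RFC 2408, the document the surrounding text uses, so change it to `REFERENCE "RFC 2408 section 3.4."`. The IMPORTS list also brings in `experimental` and `mib-2 FROM RFC1213-MIB`, which no definition references once the module is rooted at `{ watchguard 100 }`, and the "delete/uncomment before release" comments above them no longer match the lines' actual state, so either drop both imports or finish the release edit those comments describe. If this file is meant to stay byte-identical to the vendor's distribution, these are points to carry upstream rather than patch locally.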